Ubuntu – Precautions during SSH


Possible Duplicate:
How can I audit users and access attempts to SSH on my server?

I recently had to give away my Ubuntu 12.10 root password to one of my friends so that he could SSH into my system and send some files to me. Now he is my friend and I trust him so I was not reluctant in sharing my password. And I did change it afterwards.

But it just struck me: how can I view all the commands that were executed by some other user remotely logging into my system (obviously not my friend, I mean in general)? To what extent can they access my data (especially my passwords, e.g. I use LastPass, so can they access my account passwords as well)?
And if they open any browser after logging into my system, do they have access to all my passwords, provided I have saved them using the "remember password" option given by Chrome?

Also, what precautions should I take when I am allowing someone to remotely log in to my system, and how can I track the various commands used by them or the changes they made to my system? Also, is there some simple way to get notified whenever someone logs into my system, apart from checking the /var/log/auth.log file?

Best Answer

There was a similar problem that struck me after reading this question here on AskUbuntu and checking my VPS, only to see a bazillion brute-force attempts. That is when I decided to take action.

Now according to the question I linked to, if you would like to see failed login attempts on your machine over ssh (could be brute force attempts or anything), try typing this:

grep sshd.\*Failed /var/log/auth.log | less

If the output consists of multiple lines, that is many brute-force attempts, especially if they have happened within short intervals, you might want to take the following actions:

Change the ssh configuration file

To do this, open the file located at /etc/ssh/sshd_config with your favourite editor, like this: vim /etc/ssh/sshd_config.

1. Try to move ssh from port 22: Now locate the line that reads:

# What ports, IPs and protocols we listen for
Port 22

and comment out Port 22, and use any one you might like. Example:

# What ports, IPs and protocols we listen for
# Port 22
Port 28934

Please remember that ports below 1024 need special (root) permission. I do not know how this could interfere with it, but I am just saying.

2. Disable Root logins via ssh: Since the root username is predictable and provides complete access to your system, providing unfettered access to this account over SSH is unwise. Locate the line reading PermitRootLogin and set it to no.

PermitRootLogin no

3. Disable password authentication: Generate and use SSH keys to log into your system. Without passwords enabled, attackers will need to guess (or steal) your SSH private key in order to gain access to your server, something that is very, very difficult. Proceed to find the line that reads PasswordAuthentication and set it to no.

PasswordAuthentication no

!WARNING! Before doing so, please consult this guide over here on how to set up certificate authentication.

NOTE: After you have made the changes use sudo /etc/init.d/ssh restart. To connect to another port via ssh use: ssh username@hostname.com -p <port_number>.

Set up a firewall

Please check out this guide on how to set up the extremely powerful and effective firewall, which is integrated into Linux, IPTables.

Set up scripts to help you with security

One that I use personally and quickly comes to mind is Fail2Ban. Fail2ban will monitor your log files for failed login attempts. After an IP address has exceeded the maximum number of authentication attempts, it will be blocked at the network level and the event will be logged in /var/log/fail2ban.log. To install it: sudo apt-get install fail2ban

Check command history via ssh

There is a Linux command, named history, which allows you to see which commands have been input up until that point. Try typing history in a terminal to see all commands up to that point. It could help if you were root.

To search for a particular command try: history | grep command-name

To list all commands after ssh: fc -l ssh

You can also edit commands using vi (haven't tried it with vim, though I assume it works as well): fc -e vi

You can also delete the history: history -c

NOTE: If you are not a fan of the command history there is also a file in your home directory (cd ~), called .bash_history (if you are using bash) that you can cat to see all that has been typed in the bash shell.
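As an added example (not part of the question or the answer above), the following Python script does in a structured way what the grep one-liner in the answer does by eye: it parses sshd lines from /var/log/auth.log, counts failed attempts per source IP, flags IPs whose failures cluster within a short interval (the "short intervals" the answer says to watch for), and lists accepted logins together with the authentication method, which also shows whether password logins are still being accepted after PasswordAuthentication was meant to be turned off. The log lines embedded below are constructed sample data using documentation IP ranges; the year, the burst threshold and the window size are assumptions chosen for the example, not values from the page.

```python
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not taken from a real server).
SAMPLE_AUTH_LOG = """\
Dec  3 10:12:01 vps sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Dec  3 10:12:03 vps sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Dec  3 10:12:05 vps sshd[1236]: Failed password for root from 203.0.113.5 port 51238 ssh2
Dec  3 10:30:44 vps sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Dec  3 11:00:10 vps sshd[1400]: Failed password for bob from 192.0.2.9 port 40100 ssh2
Dec  3 11:05:10 vps sshd[1401]: Accepted password for bob from 192.0.2.9 port 40101 ssh2
Dec  3 11:05:11 vps CRON[1500]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches the sshd "Accepted ..."/"Failed ..." result lines; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Syslog timestamps carry no year; an assumed year is used only so times can be ordered.
ASSUMED_YEAR = 2012


def parse_auth_log(text):
    """Turn raw auth.log text into a list of sshd authentication events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # cron, sudo, pam session lines etc. are not auth results
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def failed_attempts_by_ip(events):
    """Count failed attempts per source IP (the grep | less view, summarised)."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def find_bursts(events, threshold=3, window_seconds=60):
    """Return {ip: max failures seen inside any window_seconds span} for IPs
    reaching threshold; thresholds are assumed values, tune them to your server."""
    per_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            per_ip[e["ip"]].append(e["time"])
    bursts = {}
    for ip, times in per_ip.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):  # sliding window over sorted failure times
            while (times[i] - times[j]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def accepted_logins(events):
    """Successful logins as (user, ip, method); method 'password' means password
    authentication is still enabled on the server."""
    return [(e["user"], e["ip"], e["method"]) for e in events if e["result"] == "Accepted"]


def summarize(text):
    events = parse_auth_log(text)
    return {"failed_by_ip": failed_attempts_by_ip(events),
            "bursts": find_bursts(events),
            "accepted": accepted_logins(events)}


if __name__ == "__main__":
    # Usage: python3 sshd_auth_summary.py /var/log/auth.log  (needs root to read the log)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    report = summarize(text)
    for ip, n in report["failed_by_ip"].most_common():
        flag = "  <-- burst" if ip in report["bursts"] else ""
        print(f"{n:4d} failed attempts from {ip}{flag}")
    for user, ip, method in report["accepted"]:
        print(f"accepted: {user} from {ip} via {method}")
```

Run against the sample, the script reports three failures from 203.0.113.5 within a few seconds (flagged as a burst), a single failure from 192.0.2.9, and two accepted logins, one of which used a password. After the answer's PasswordAuthentication no change, any new "Accepted password" line is a sign the sshd restart did not take effect.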